I am currently investigating how Effective Permissions calculations work on

Windows. I am considering all the server versions of Windows however I

restrict my discussion to Windows 2003 Server here as it has a tool to

calculate the Effective Permissions. My domain scenario is as follows:

 

Number of domains : 1 running on Win2k SP4 AS

I create a new user in the domain say UserX and a new global group say

GroupY and make UserX a member of GroupY.

 

To experiment with I first assigned Everyone group full control on a

particular directory and Authenticated Users only write control on the

directory. Now according to Microsoft Everyone group includes Authenticated

Users too. So whenever effective permissions are being calculated for

Autenticated Users we should expect Auth Users to have full control. However

this does not happen.Instead Aut Users is shown as just having a "Write"

permission assigned to them. Howevever if I create domain user and specify an

ACE for the domain user on the folder saying that this domain user has "Read

Permissions" the Effective permissions tab for this user shows that he has

full control which is correct as the user gets the cumilative permissions of

the Everyone group and the Authenticated Users group. Why is there a

discrepancy between the results shown for Auth Users and results shown for

the domain user?

 

The same situation exists for any domain group too. The effective

permissions calculation does not seem to taking into account that the NT

Authority\Users group on the system that I am currently carrying out my

experiments also contains the <DOMAIN NAME>\Domain Users group which in turn

contains the Global group G I have created.

 

Summarizing it seems like the effective permissions tool works perfectly for

users but it appears that it works differently for groups.

 

Can someone please help me out of this dilemma

 

Thanks and Regards

 

Prahalad

I am currently investigating how Effective Permissions calculations work on

Windows. I am considering all the server versions of Windows however I

restrict my discussion to Windows 2003 Server here as it has a tool to

calculate the Effective Permissions. My domain scenario is as follows:

 

Number of domains : 1 running on Win2k SP4 AS

I create a new user in the domain say UserX and a new global group say

GroupY and make UserX a member of GroupY.

 

To experiment with I first assigned Everyone group full control on a

particular directory and Authenticated Users only write control on the

directory. Now according to Microsoft Everyone group includes Authenticated

Users too. So whenever effective permissions are being calculated for

Autenticated Users we should expect Auth Users to have full control. However

this does not happen.Instead Aut Users is shown as just having a "Write"

permission assigned to them. Howevever if I create domain user and specify an

ACE for the domain user on the folder saying that this domain user has "Read

Permissions" the Effective permissions tab for this user shows that he has

full control which is correct as the user gets the cumilative permissions of

the Everyone group and the Authenticated Users group. Why is there a

discrepancy between the results shown for Auth Users and results shown for

the domain user?

 

The same situation exists for any domain group too. The effective

permissions calculation does not seem to taking into account that the NT

Authority\Users group on the system that I am currently carrying out my

experiments also contains the <DOMAIN NAME>\Domain Users group which in turn

contains the Global group G I have created.

 

Summarizing it seems like the effective permissions tool works perfectly for

users but it appears that it works differently for groups.

 

Can someone please help me out of this dilemma

 

Thanks and Regards

 

Prahalad